On May 5, 2020, the Seventh Circuit held that violations of the section 15(b) disclosure and informed consent provisions of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”) constitute “an invasion of personal rights that is both concrete and particularized” for the purposes of establishing Article III standing to sue in federal courts.  However, the Seventh Circuit also held that the alleged harms associated with violations of section 15(a) of BIPA were insufficient to establish Article III standing.  Section 15(a) mandates public disclosure of a retention schedule and guidelines for permanent destruction of collected biometric information.

Covington has previously discussed developments in BIPA litigation, which has proliferated in recent years with the advancement of relevant technologies.  The increase in BIPA litigation has been accompanied by a rise in disputes over the nature of the harm required to sustain an action, both in state and federal courts.  Although this issue was seemingly resolved at the state-level by the Illinois Supreme Court’s 2019 Rosenbach decision, federal courts have continued to grapple with the issue for the purposes of Article III standing.
Continue Reading Seventh Circuit Rules on Article III Standing Issues in Illinois BIPA Lawsuit, Allowing Case to Proceed in Federal Court

As many data breach litigation cases have demonstrated over recent years, the question of a plaintiff’s standing can be quite important to the outcome of each case.  While the Supreme Court has addressed standing issues in several cases with potential applicability in the data breach litigation context, most recently in Spokeo, Inc. v. Robins and Clapper v. Amnesty International, the Court has not yet addressed head-on the question of standing requirements for plaintiffs in data breach litigation.  More recently, a cert petition in another data breach standing case (In re Zappos.com), discussed below, has been distributed for conference this Friday, December 7, 2018.  As the Court considers whether to grant cert and address this issue, this post provides an overview of the circuit split on standing in data breach litigation cases and efforts to convince the Court to revisit the issue and provide more precise guidance. 
Continue Reading Standing Issues in Data Breach Litigation: An Overview

The Supreme Court released its highly anticipated decision yesterday in Spokeo, Inc. v. Robins, which addresses whether plaintiffs have standing to pursue statutory damages even in the absence of actual harm under the Fair Credit Reporting Act (“FCRA”).  As we previously reported, the case was expected to have significant down-stream implications for standing in privacy class action litigation, because numerous privacy-related federal laws have been construed to allow statutory damages even in the absence of actual injury (e.g., the Telephone Consumer Protection Act).
Continue Reading Supreme Court Issues Highly Anticipated Spokeo Decision

In the closely-watched case of Spokeo, Inc. v Robins, the Solicitor General recently filed an amicus brief urging the Court to deny certiorari and leave in place the 9th Circuit’s holding, which could encourage the rising tide of privacy class action litigation.  The Solicitor General’s brief—coauthored by the Consumer Financial Protection Bureau—argued that the

This week, in a 5-4 decision in Clapper et al. v. Amnesty International USA et al., the United States Supreme Court rejected two theories of Article III standing presented by a group of attorneys, human rights, labor, legal, and media organizations who sought a declaration that surveillance under section 1881a of the Foreign Intelligence Surveillance Act (“FISA”) is unconstitutional as well as an injunction against section 1881a-authorized surveillance.

These respondents argued first that, because their work requires them to engage in sensitive and/or privileged communications with individuals located abroad who are likely targets of surveillance, there was an objectively reasonable likelihood that their communications would be acquired under section 1881a at some point in the future, thus causing them injury.  (Section 1881a, which was added by the FISA Amendments Act of 2008, authorizes, under certain circumstances, the government surveillance of individuals who are not “United States persons” and are reasonably believed to be located outside the United States).  Second, the respondents maintained that the risk of surveillance under section 1881a is so substantial that they had been forced to take costly and burdensome measures to protect the confidentiality of their communications that constitute present injury and are fairly traceable to section 1881a.

The Supreme Court rejected each of these arguments holding (1) that respondents’ “highly attenuated chain of possibilities” and theory of future injury was too speculative to satisfy the well-established Article III standing requirement that threatened injury be “certainly impending” and, moreover, that they could not establish that the injury was fairly traceable to section 1881a; and (2) that the respondents “cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending.”


Continue Reading Supreme Court Nixes FISA Surveillance Suit on Standing Grounds

Yesterday, deeming LinkedIn’s motion to dismiss suitable for decision without oral argument, Judge Koh of the U.S. District Court for the Northern District of California dismissed all eight claims in Low v. LinkedIn with prejudice, ending this litigation.  Covington successfully represented LinkedIn in this case, in which plaintiffs alleged that the purported transmittal to certain

By Mali Friedman and Simon Frankel

With all eyes on the Affordable Care Act today, the United States Supreme Court also quietly dismissed a case that could have had a profound impact on a wide range of citizens’ rights litigation—First American Financial Corp. v. Edwards.  Stating only that the writ of certiorari had

Employees whose personal information might have been accessed in a data breach cannot sue the breached company in federal court based only on the possibility that the breach might lead to identity theft, a federal appeals court ruled Monday.

The case, Reilly v. Ceridian Corporation, is a proposed class action brought by employees whose companies used Ceridian Corporation to process company payrolls. An unknown hacker breached Ceridian’s firewall in December 2009, potentially gaining access to payroll information such as names, Social Security numbers, birth dates and bank account numbers. However, the lawsuit did not allege that the hacker actually accessed, copied, or misused the data. Instead, the plaintiffs based their claim on their allegedly increased risk of identity theft, their emotional distress, and the credit-monitoring costs they incurred.


Continue Reading Federal Appeals Court: Risk of ID Theft Does Not Confer Standing for Data Breach Suit

Class action lawsuits are increasingly being brought against organizations that have suffered data breaches, as well as against companies that are alleged to have allowed third parties access to online or mobile users’ confidential information without authorization (for example the recent Del Vecchio v. Amazon and Low v. LinkedIn cases).  A repeated issue in these

The United States District Court for the Western District of Seattle recently dismissed an online privacy case involving the alleged improper use of browser and Flash cookies in Del Vecchio v. Amazon.  Finding that the plaintiff “simply not plead adequate facts to establish any plausible harm,” this opinion follows closely on the heels of